Carnivore: A System Admin's Concerns

You've probably read a good deal about Carnivore, and know that the FBI's scheme to grab and save the Internet traffic (email, web page requests, newsgroup posts) of suspected criminals has drawn the wrath of civil libertarians.

System administrator's are already familiar with the technology Carnivore emulates, and it's worth noting that the power it grants federal authorities -- the ability to grab and read a user's Internet traffic -- is already in the hands of system administrators. Apparently, we trust ourselves and our fellow system administrators more than we trust the Feds, even though the FBI needs a court order to access this information while the average administrator only needs a few spare minutes.

The technology behind Carnivore is not especially sophisticated. Carnivore is essentially a packet-sniffer with a bunch of built-in filters. A packet-sniffer is a tool that captures, or "sniffs," the traffic on a network.

Carnivore's filters ensure the system is complying with the court order under which it operates and only the allowed communications are intercepted. The FBI sets one filter, so only the suspect's data is captured. Other filters then limit the types of data that can be captured -- email, web pages, whatever. Finally, even more specific filters are set to look for certain keywords, or communications from specified parties.

If this works correctly, it means the FBI would nab email about a suspect's drug flight into Texas, while it would not see email about that suspect's virtual love affair with his neighbor on Usenet.

What Gives Them The Right?

Just as with a phone wiretap, the FBI must get the authorization
of a federal judge to use Carnivore. To get this court order, they must convince the judge that they have probable cause for certain federal felonies. Further, other surveillance techniques must prove either too dangerous or ineffective. If those criteria are met, the FBI is limited to intercept only communications between the suspect and other named individuals, via specific means. For example, the order may specify that only newsgroup messages between the suspect and John Doe may be intercepted.

Beyond the above requirements, the court order lasts a maximum of 30 days (plus a potential 30-day extension), and the FBI is often required to provide progress reports every 7 to 10 days to the judge that issued the order. If the judge feels the desired information has been obtained, he may terminate
the order prematurely.

Once it has federal authorization, the FBI then needs permission from the suspect's ISP. This step is often avoided in the case of wiretaps because of long-standing agreements between the Bells and the FBI. Certain ISPs, such as EarthLink, have public policies refusing to allow Carnivore. However, the only way they can legally do this is if they can provide the FBI with the same data Carnivore would otherwise gather. So while Carnivore is only put into place for a specific reason for specific times, EarthLink can monitor all of its customers, all of the time. Who's worse: the Fed or the private industry, selling all of your data to marketers?

If an ISP should refuse to allow Carnivore, and can not provide the necessary data, the FBI can obtain a court order forcing the ISP to allow them to install Carnivore.

The FBI needs a court order to view a suspect's mail, but any system administrator in the back room can already grab and read email at will. Should we be more worried about the FBI than the legions of unscreened sysadmins? Post your comments

But can we trust the FBI to respect those limits? Some of its comments about Carnivore suggest that the FBI is not even sure about the technology they're using, and unaware how many others have the same power. The good news is, the system is easy enough to defeat for anyone willing to take a few precautionary measures.

Carnivore's care and feeding

Last year, I got a peek at Carnivore when FBI agents gave a talk in the Cyber Law and Society class I was taking at Harvard. Supervisory Special Agent Barry Smith and an associate told us the rise in Internet communications threatens the FBI's ability to fight crime, and Carnivore is one of the ways they hope to keep up. As more communication goes online, criminals are taking their activities there -- for planning, communication, and execution. Groove is useful for collaborative programming, but it could just as easily be used to plan a terrorist attack across international borders.

To install Carnivore at an Internet service provider, the FBI has to obtain a warrant, similar to a wiretap. (See the sidebar, "What Gives Them the Right?" for more details on the legalities.) The FBI asks the ISP isolate the suspect's connection to a "quiet" part of its LAN. This allows the FBI to connect without being overly obtrusive, and prevents its machine from being pelted with a lot of uninteresting data.

From there, the agency configures the necessary filters, then pushes the Monitor button. A stats screen pops up, and every day the captured data is written to a Zip disk. A field agent retrieves the disk and inserts a fresh one each day or week, taking the full disk back to the office for analysis.

My security concerns

Sounds simple enough. But as a system administrator, I have a few concerns.

The first is that Carnivore runs on NT. As a Unix administrator, I see this as a very bad thing. Windows NT has many well-known security flaws, and the Carnivore machine itself could be compromised unless all security patches are applied when they're made available. Even then, unpublished flaws (without patches) leave the machine vulnerable. The FBI says it puts a firewall between the Carnivore box and the rest of the ISP, and a team of security experts tends to NT patches. Even so, if you're not concerned about the FBI reading your email, you should be concerned that the Carnivore box could be hacked.

My second concern is that, depending on how the filters are set, Carnivore can capture any amount of data the FBI would like. The agents said Carnivore "only connects at Ethernet speeds," as if to suggest this limits the amount of data the agency can grab. This struck a chord, so I asked about it after their talk. After saying that OC-128 and Gigabit Ethernet are faster (to which I replied with a glare), he said that Carnivore sees too much data to store it all, and the FBI couldn't archive it. I pointed out that a 40-gigabyte hard drive costs only $150 these days, but he responded "we don't have time to look at all that data." I didn't want to argue more, or tell them about Perl.

Haven't I seen this before?

In fact, it seems to me that Carnivore could be replaced with tcpdump and Perl.
tcpdump is a packet-sniffer, and a standard Unix utility. It can restrict what is captured based on the type of data and its destination. For example, it could store just email and web pages going to a suspect's IP address.
The captured data could then be analyzed with Perl to discard everything but authorized interceptions, say, emails to another suspect or access to specific web pages.

Because it seems so easy to replace Carnivore with these open-source tools, I asked if the FBI would consider open-sourcing Carnivore, arguing that it would alleviate the public's concerns as to Carnivore's capabilities. Barry's face grew a bit dark at that. He maintained that only the FBI should be allowed to use such a program, and that anyone who codes a similar program must be breaking the law. He's obviously not a system administrator.

The FBI's argument about limited storage capacity argument is less than convincing, as is the "slow" Ethernet connection argument. The limited manpower argument carries a bit more weight, but Perl provides an excellent point of contention. However, if the FBI developers have expended this much effort to recreate tcpdump, it makes me wonder if they'd be able to use Perl. Perhaps they'd roll their own there, too, creating OysterEater.

You'll never take my data alive!

So what can privacy-conscious individuals do to prevent the FBI from reading their emails and seeing that they've visited porn sites?

Encrypt your email with SMIME or PGP.

Use a service like Anonimizer.com, which hides all web traffic to your desktop by sending encrypted web requests through many of its servers, none of which know where the data ultimately came from.

Use FreeNet to exchange files.

Or, more simply, don't commit crimes that will make the FBI take an interest in you.

Special Agent Smith addressed these issues without anyone bringing them up. If Carnivore is easily defeated, is it valuable? It is, he said, because the average criminal isn't all that bright. He cited an example of one suspect whose phone was tapped saying, "You should whisper, the line might be tapped." He also noted that devices used to scramble telephone calls are widely available, but infrequently used.

Although I'm concerned with Carnivore's capabilities, I believe FBI agents truly need it to do their jobs effectively, and would be hard-pressed to find a much better, less-intrusive solution. While Carnivore is potentially more intrusive than wiretaps, the FBI has proven its restraint with them, and has not abused that power. Why should IP wiretaps prove any different?

If it seems I'm being sympathetic to the FBI, please look at system administrators. At their companies, these folks are graced with the power to read anyone's mail that they want, to play with people's private files, and can easily impersonate their company's CEO. They can do this very quietly, so that no one notices. They generally have no security clearance. Few have sworn to uphold their company's ideals. However, very few abuse the power that they've been given, instead using their powers for good.

Massive conspiracy theories aside, why should we believe that FBI agents are any different? They're deeply involved in criminal cases when they deploy Carnivore -- much like a system administrator would be involved with routing out a cracker when deploying tcpdump.

Sure, the capability is there to read their boss's mail, but who has the time?

Mike DeGraw-Bertsch
is a security and Unix system administration
consultant in the Boston, Mass. area. When he's not at a job, writing,
hacking with Perl, or playing with his wireless network, he can usually be
found playing goal in ice hockey.